You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@couchdb.apache.org by va...@apache.org on 2023/05/02 16:55:37 UTC

[couchdb] branch 3.2.2-docs-cve-2023-26268 created (now 2cd9e8fca)

This is an automated email from the ASF dual-hosted git repository.

vatamane pushed a change to branch 3.2.2-docs-cve-2023-26268
in repository https://gitbox.apache.org/repos/asf/couchdb.git


      at 2cd9e8fca CVE-2023-2626 details doc update

This branch includes the following new commits:

     new 2cd9e8fca CVE-2023-2626 details doc update

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.

[couchdb] 01/01: CVE-2023-2626 details doc update

Posted by va...@apache.org.

This is an automated email from the ASF dual-hosted git repository.

vatamane pushed a commit to branch 3.2.2-docs-cve-2023-26268
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 2cd9e8fcaf1db08327d34b9b6dbddba65832e604
Author: Nick Vatamaniuc <va...@gmail.com>
AuthorDate: Tue May 2 12:34:42 2023 -0400

    CVE-2023-2626 details doc update
---
 src/docs/src/cve/2023-26268.rst | 61 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/src/docs/src/cve/2023-26268.rst b/src/docs/src/cve/2023-26268.rst
new file mode 100644
index 000000000..d39f80c53
--- /dev/null
+++ b/src/docs/src/cve/2023-26268.rst
@@ -0,0 +1,61 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cve/2023-26268:
+
+=========================================================================
+CVE-2023-26268: Apache CouchDB: Information sharing via couchjs processes
+=========================================================================
+
+:Date: 02.05.2023
+
+:Affected: 3.2.2 and below
+
+:Severity: Medium
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+Design documents with matching document IDs, from databases on the same
+cluster, may share a mutable Javascript environment when using these design
+document functions:
+
+  * validate_doc_update
+  * list
+  * filter
+  * filter views (using view functions as filters)
+  * rewrite
+  * update
+
+This doesn't affect map/reduce or search (Dreyfus) index functions.
+
+Mitigation
+==========
+
+CouchDB :ref:`3.2.3 <release/3.2.3>` and onwards matches Javascript execution
+processes by database names in addition to design document IDs when processing
+the affected design document functions.
+
+Workarounds
+===========
+
+Avoid using design documents from untrusted sources which may attempt to cache
+or store data in the Javascript environment.
+
+Credit
+======
+
+This issue was identified by `Nick Vatamaniuc`_
+
+.. _Nick Vatamaniuc: https://home.apache.org/phonebook.html?uid=vatamane